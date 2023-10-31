The risk associated with dependence on a particular cloud provider for multiple business capabilities is in the top five emerging risks for organisations for the second consecutive quarter, according to a survey of 294 risk executives by research and consulting firm Gartner.

Third-party viability ranked first among the top five emerging risks, with 73% frequency, followed by evolving socio-political expectations, with 69% frequency. Mass generative artificial intelligence availability and cloud concentration risk ranked third and fourth, with 68% and 62% frequency, respectively. Personal data regulatory fragmentation rounded off the top five, with 59% frequency.

“The risk associated with cloud concentration is fast losing its ‘emerging’ status, as it is becoming a widely recognised risk for most enterprises,” said Ran Xu, director, research, Gartner Legal Risk and Compliance Practice. “Many organisations are now in a position where they would face severe disruption in the event of the failure of a single provider,” said Xu.

Third-party viability and mass generative AI availability made the top five for a second consecutive quarter as well, with third-party viability topping the list on both occasions.

“Third-party viability’s continued position reflects ongoing shifts in supply chain networks, uneven inflationary effects and continued labour pressures, stoking fears that third parties may become insolvent,” said Xu. “Mass generative AI availability is concerning risk leaders because almost everyone now has easy access to AI models with nascent (or nonexistent) guidelines in place.”

Cloud Concentration

The survey found that the risk associated with cloud concentration has arisen from the decision made by many enterprises to concentrate their IT efforts on a small number of strategic providers, to lower IT complexity and, consequently, risk, cost and skill requirements.

The problem is compounded by the dominance of a small number of hyperscale vendors in global and regional markets because of their superior technological prowess, partner ecosystems and business reach.

“Where organisations have chosen to go the route of hosting their IT services in public clouds, there aren’t many obvious ways to avoid concentration risk, while keeping the benefits of cloud services,” said Xu.

According to Gartner, there are three main potential consequences of this risk:

Wide Incident Blast Radius: The more applications (and business processes) depend on a particular cloud provider, the greater the potential breadth of impact of a cloud service issue, which may heighten business continuity concerns.

High Vendor Dependence: Concentrated dependency on a particular vendor can reduce future technology options and allow vendors to exert significant influence over the organisation's technology future.

Regulatory Compliance Failures: Enterprises may be unable to meet regulatory demands to address concentration risk across different regulatory bodies, which may have different approaches to concentration risk.

“If the benefits of public cloud use are considered strategically important to a business, there are not many obvious solutions to remove the risk altogether. That’s why it is especially important that businesses have a well-considered continuity plan to put into action, should they face any major cloud service issues,” said Xu.